VYPR

apk package

chainguard/linux-gcp-6.12

pkg:apk/chainguard/linux-gcp-6.12

Vulnerabilities (252)

  • CVE-2026-31623 · Med · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-

  • CVE-2026-31622 · Hig · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of casca

  • CVE-2026-31619 · Med · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status val

  • CVE-2026-31618 · Med · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the

  • CVE-2026-31617 · Med · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->nd

  • CVE-2026-31616 · Med · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unboun

  • CVE-2026-31615 · Med · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of valida

  • CVE-2026-31607 · Cri · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU.

  • CVE-2026-31584 · Hig · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix use-after-free in encoder release path The fops_vcodec_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->encode_work.

  • CVE-2026-31583 · Hig · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open() em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini(), both of which f

  • CVE-2026-31582 · Hig · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix use-after-free on USB disconnect After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mutex and call powerz_read_data(), which dere

  • CVE-2026-31581 · Hig · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed

  • CVE-2026-31580 · Hig · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace

  • CVE-2026-31578 · Hig · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as

  • CVE-2026-31577 · Med · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map The DAT inode's btree node cache (i_assoc_inode) is initialized lazily during btree operations. However, nilfs_mdt_save_to_shadow_map()

  • CVE-2026-31576 · Hig · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev

  • CVE-2026-31575 · Med · Apr 24, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: fix hugetlb fault mutex hash calculation In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns

  • CVE-2026-31531 · Med · Apr 23, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop() When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for single

  • CVE-2026-31431 · Hig · KEV · Apr 22, 2026
    affected < 6.12.83-r2 · fixed 6.12.83-r2

    In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the so

  • CVE-2026-23442 · Med · Apr 3, 2026
    affected < 6.12.85-r0 · fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by

Page 2 of 13